VIM Connector Configurations · ESCVIM Description Permission Note Operation TocreateNotrequired a...
Transcript of VIM Connector Configurations · ESCVIM Description Permission Note Operation TocreateNotrequired a...
VIM Connector Configurations
• VIM Connector Configurations for OpenStack, on page 1• VIM Connector Configurations for AWS, on page 7• VIM Connector Configuration for VMware vCloud Director (vCD), on page 8
VIM Connector Configurations for OpenStackYou can configure the VIM connector for OpenStack specific operations.
To configure a VIM connector, seeConfiguring the VIM Connector .Note
Creating Non-admin Roles for ESC Users in OpenStack
By default, OpenStack assigns an admin role to the ESC user. Some policies may restrict using the defaultadmin role for certain ESC operations. Starting from ESC Release 3.1, you can create non-admin roles withlimited permissions for ESC users in OpenStack.
To create a non-admin role,
1. Create a non-admin role in OpenStack.
2. Assign the non-admin role to the ESC user.
You must assign ESC user roles in OpenStack Horizon (Identity) or using the OpenStack command lineinterface. For more details see, OpenStack Documentation.
The role name can be customized in OpenStack. By default, all non-admin roles in OpenStack have thesame level of permissions.
3. Grant the required permissions to the non-admin role.
You must modify the policy.json file to provide the necessary permissions.
You must grant permissions to the create_port: fixed_ips and create_port: mac_address parameters in thepolicy.json file for ESC user role to be operational.
Note
VIM Connector Configurations1
The table below lists the ESC operations that can be performed by the non-admin role after receiving thenecessary permissions.
Table 1: Non-admin role permissions for ESC operations
NotePermissionDescriptionESC VIM
Operation
For ESC managed OpenStack project,adding the
user to the project with a role requiresidentity:create_grant.
/ e t c / k e y s t o n e / p o l i c y . j s o n
" i d e n t i t y : c r e a t e _ p r o j e c t "
"identity:create_grant"
To createa nOpenStackproject
C r e a t eProject
/ e t c / k e y s t o n e / p o l i c y . j s o n
"identity:delete_project"
To deletea nOpenStackproject
D e l e t eProject
The owner (a user in the target project) canquery.
You can retrieve public or shared images.
Not requiredTo get alist of allimages
Q u e r yImage
By default an admin can create a publicimage.
Publicizing an image is protected by thepolicy.
/ e t c / g l a n c e / p o l i c y . j s o n
"publicize_image"
To createa publicimage
C r e a t eImage
You can use the following to create a privateimage
<image> <name>mk-test-image</name>
... <disk_bus>virtio</disk_bus>
<visibility>private</visibility>
</image>
Not requiredTo createa privateimage
The owner can delete the image.Not requiredTo deletean image
D e l e t eImage
The owner can query a flavor.
You can query public flavors as well.
Not requiredTo query apre-existingflavor
Q u e r yFlavor
Managing a flavor is typically only
available to administrators of a cloud.
/ e t c / n o v a / p o l i c y . j s o n
"os_compute_api:os-flavor-manage"
To createa n e wflavor
C r e a t eFlavor
/ e t c / n o v a / p o l i c y . j s o n
"os_compute_api:os-flavor-manage"
To deletea flavor
D e l e t eFlavor
Owner can get the list of networks includingshared networks.
/ e t c / n e u t r o n / p o l i c y . j s o n
"get_network"
To get al i s t o fnetworks
Q u e r yNetwork
VIM Connector Configurations2
VIM Connector ConfigurationsVIM Connector Configurations for OpenStack
NotePermissionDescriptionESC VIM
Operation
Not requiredTo createa normalnetwork
C r e a t eNetwork
You need these rules when you are creatingnetwork
with physical_network (e.g., SR-IOV), ornetwork_type (e.g., SR-IOV), orsegmentation_id (e.g., 3008), or set thenetwork for sharing.
< n e t w o r k >
<name>provider-network</name> <!--
<shared>false</shared> //default is
t r u e - - >
<admin_state>true</admin_state>
<provider_physical_network>VAR_PHYSICAL_NET
</provider_physical_network>
< p r o v i d e r _ n e t w o r k _ t y p e > v l a n
< / p r o v i d e r _ n e t w o r k _ t y p e >
<provider_segmentation_id>2330
</provider_segmentation_id> ...
</network>
/ e t c / n e u t r o n / p o l i c y . j s o n
"create_network:provider:physical_network"
"create_network:provider:network_type"
"create_network:provider:segmentation_id"
"create_network:shared"
To createn e two r kw i t hs p e c i a lcases
The owner can delete the network.Not requiredTo deletea network
D e l e t eNetwork
The network owner can get a list of thesubnets.
You can get a list of subnets from a sharednetwork as well.
< n e t w o r k >
<name>esc-created-network</name>
<!--network must be created by ESC-->
<admin_state>false</admin_state>
< s u b n e t >
<name>makulandyescextnet1-subnet1</name>
< i p v e r s i o n > i p v 4 < / i p v e r s i o n >
< d h c p > t r u e < / d h c p >
< a d d r e s s > 1 0 . 6 . 0 . 0 < / a d d r e s s >
<netmask>255.255.0.0</netmask>
</subnet> </network>
/ e t c / n e u t r o n / p o l i c y . j s o n
"get_subnet"
To get al i s t o fsubnets
Q u e r ySubnet
The network owner can create a subnet.Not requiredTo createa subnet
C r e a t eSubnet
The network owner can delete a subnet.Not requiredTo deletea subnet
D e l e t eSubnet
VIM Connector Configurations3
VIM Connector ConfigurationsVIM Connector Configurations for OpenStack
NotePermissionDescriptionESC VIM
Operation
The owner can get a list of ports.Not requiredG e t apre-existingport
Q u e r yPort
Not requiredTo createa networkinterfacew i t hDHCP
C r e a t ePort
<interfaces> <interface>
< n i c i d > 0 < / n i c i d >
<mac_address>fa:16:3e:73:19:b5</mac_address>
< n e t w o r k > e s c - n e t < / n e t w o r k >
</interface> </interfaces>VMrecoveryalso requires this privilege.
/ e t c / n e u t r o n / p o l i c y . j s o n
"create_port:mac_address"
Create an e two r kinterfacew i t h am a caddress
<subnet> <name>IP-pool-subnet</name>
< i p v e r s i o n > i p v 4 < / i p v e r s i o n >
< d h c p > f a l s e < / d h c p >
<address>172.16.0.0</address>
<netmask>255.255.255.0</netmask>
<gateway>172.16.0.1</gateway>
</subnet><shared_ip> <nicid>0</nicid>
<static>false</static> </shared_ip>
VM recovery also requires this privilege.
/ e t c / n e u t r o n / p o l i c y . j s o n
"create_port:fixed_ips"
To createa networkinterfacew i t h afixed IP orshared ips
The owner can update the port.Not requiredU p d a t ep o r td e v i c eowner
Upda t ePort
<interface> <nicid>0</nicid>
<network>VAR_MANAGEMENT_NETWORK_ID</network>
<allowed_address_pairs> <network>
<name>VAR_MANAGEMENT_NETWORK_ID</name>
< / n e t w o r k > < a d d r e s s >
<ip_address>172.16.0.0</ip_address>
<netmask>255.255.0.0</netmask>
< / a d d r e s s > < a d d r e s s >
<ip_address>172.16.6.1</ip_address>
<ip_prefix>24</ip_prefix> </address>
</allowed_address_pairs> </interface>
/ e t c / n e u t r o n / p o l i c y . j s o n
"update_port:allowed_address_pairs"
U p d a t eport toa l l o wa d d r e s spairs
The owner can delete the port.Not requiredTo deletea port
D e l e t ePort
VIM Connector Configurations4
VIM Connector ConfigurationsVIM Connector Configurations for OpenStack
NotePermissionDescriptionESC VIM
Operation
The owner can get the list of volumes.Not requiredTo get al i s t o fvolumes
Q u e r yVolume
Not requiredTo createa volume
C r e a t eVolume
The owner can delete the volume.Not requiredTo deletea volume
D e l e t eVolume
The owner can get the list of all the VMs ina project.
Not requiredTo get allthe VMsi n aproject
Q u e r yVM
Not requiredTo createa VM
C r e a t eVM
<placement> <type>zone_host</type>
<enforcement>strict</enforcement>
<host>anyHOST</host> </placement>
/ e t c / n o v a / p o l i c y . j s o n
"os_compute_api:servers:create:forced_host"
To createa VM in ah o s tt a rg e t e ddeployment
Not requiredTo createVMs in az o n et a rg e t e ddeployment
Not requiredTo createVMs inthe sameHost
Affinity/Anti-affinity
This support is for intragroup anti-affinityonly.
Not requiredTo createVMs in aservergroup
Affinity/Anti-affinity
The owner can delete the VM.Not requiredTo deletea VM
D e l e t eVM
For more details on managing resources on OpenStack, see Managing Resources on OpenStack.
VIM Connector Configurations5
VIM Connector ConfigurationsVIM Connector Configurations for OpenStack
Overwriting OpenStack EndpointsBy default, ESC uses endpoints catalog return option provided by OpenStack after a successful authentication.ESC uses these endpoints to communicate with different APIs in OpenStack. Sometimes the endpoints arenot configured correctly, for example, the OpenStack instance is configured to use KeyStone V3 forauthentication, but the endpoint returned from OpenStack is for KeyStone V2. You can overcome this byoverwriting the OpenStack endpoints.
You can overwrite (configure) the OpenStack endpoints while configuring the VIM connector. This can bedone at the time of installation using the bootvm.py parameters, and using the VIM connector APIs.
The following OpenStack endpoints can be configured using the VIM connector configuration:
• OS_IDENTITY_OVERWRITE_ENDPOINT
• OS_COMPUTE_OVERWRITE_ENDPOINT
• OS_NETWORK_OVERWRITE_ENDPOINT
• OS_IMAGE_OVERWRITE_ENDPOINT
• OS_VOLUME_OVERWRITE_ENDPOINT
To overwrite OpenStack endpoints at the time of installation, a user can create an esc configuration parametersfile, and pass the file as an argument to bootvm.py while deploying an ESC VM.
Below is an example of the param.conf file:openstack.os_identity_overwrite_endpoint=http://www.xxxxxxxxxxx.com
For more information on configuring the VIM connector at the time of Installation, see Configuring the VIMConnector.
To overwrite (configure) the OpenStack endpoints for a non-default VIM connector using the VIM connectorAPIs (both REST and NETCONF), add the overwriting endpoints as the VIM connector properties eitherwhile creating a new VIM connector or updating an existing one.
Each VIM connector can have its own overwriting endpoints. There is no default overwriting endpoint.
In the example below, os_identity_overwrite_endpoint and os_network_overwrite_endpoint properties areadded to overwrite the endpoints.<esc_system_config xmlns="http://www.cisco.com/esc/esc"><vim_connectors><!--represents a vim--><vim_connector><id>default_openstack_vim</id><type>OPENSTACK</type><properties><property><name>os_auth_url</name><value>http://172.16.0.0:35357/v3</value>
</property><property><name>os_project_domain_name</name><value>default</value>
</property><property><name>os_project_name</name><value>admin</value>
</property><property>
VIM Connector Configurations6
VIM Connector ConfigurationsOverwriting OpenStack Endpoints
<name>os_identity_overwrite_endpoint</name><value>http://some_server:some_port/</value>
</property><property><name>os_network_overwrite_endpoint</name><value>http://some_other_server:some_other_port/</value>
</property></properties>
</vim_connector></vim_connectors>
</esc_system_config>
VIM Connector Configurations for AWSYou can set the VIM credentials for an AWS deployment using the VIM connector and VIM User API.
AWS deployment does not support default VIM connector.Note
The VIM connector aws_default_region value provides authentication, and updates the VIM status. Thedefault region cannot be changed after authentication.
Configuring the VIM Connector
To configure the VIM connector for AWS deployment, provide the AWS_ACCESS_ID, AWS_SECRET_KEYfrom your AWS credentials.[admin@localhost ~]# esc_nc_cli edit-configaws-vim-connector-example.xml
To edit the existing VIM connector configuration, use the same command after making the necessary changes.Note
The AWS VIM connector example is as follows:
<esc_system_config xmlns="http://www.cisco.com/esc/esc"><vim_connectors>
<vim_connector><id>AWS_EAST_2</id><type>AWS_EC2</type><properties>
<property><name>aws_default_region</name><value>us-east-2</value>
</property></properties><users>
<user><id>AWS_ACCESS_ID</id><credentials>
<properties><property>
<name>aws_secret_key</name><encrypted_value>AWS_SERCRET_KEY</encrypted_value>
</property></properties>
VIM Connector Configurations7
VIM Connector ConfigurationsVIM Connector Configurations for AWS
</credentials></user>
</users></vim_connector>
</vim_connectors></esc_system_config>
Deleting VIM Connector
To delete the existing VIM connector, you must first delete the deployment, the VIM user, and then the VIMconnector.
[admin@localhost ~]# esc_nc_cli delete-vimuserAWS_EAST_2 AWS_ACCESS_ID
[admin@localhost ~]# esc_nc_cli delete-vimconnectorAWS_EAST_2
You can configure multiple VIM connectors, but for the same VIM type.
The VIM connectors for AWS deployment must be configured using the VIM connector API.
ESC supports one VIM user per VIM connector.
The VIM connector and its properties cannot be updated after deployment.
Note
For information on deploying VNFs on AWS, seeDeploying VNFs on a Single or Multiple AWS Regions .
VIM Connector Configuration for VMware vCloud Director (vCD)Youmust configure a VIM connector to connect to the vCD organization. The organization and the organizationuser must be preconfigured in the VMware vCD. For the deployment datamodel, see the Deploying VirtualNetwork Functions on VMware vCloud Director (vCD).
The VIM connector details are as follows:
<?xml version="1.0" encoding="UTF-8"?><esc_system_config xmlns="http://www.cisco.com/esc/esc">
<vim_connectors><vim_connector>
<id>vcd_vim</id><type>VMWARE_VCD</type><properties>
<property><name>authUrl</name><!-- vCD is the vCD server IP or host name --><value>https://vCD</value>
</property></properties><users>
<user><!-- the user id here represents {org username}@{org name} --><id>user@organization</id><credentials>
<properties>
VIM Connector Configurations8
VIM Connector ConfigurationsVIM Connector Configuration for VMware vCloud Director (vCD)
<property><name>password</name><!—the organization user’s password-->
<value>put user’s password here</value></property>
</properties></credentials>
</user></users>
</vim_connector></vim_connectors>
</esc_system_config>
VIM Connector Configurations9
VIM Connector ConfigurationsVIM Connector Configuration for VMware vCloud Director (vCD)
VIM Connector Configurations10
VIM Connector ConfigurationsVIM Connector Configuration for VMware vCloud Director (vCD)